Audit Report

OIG-09-050
Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt’s Federal Investments Branch for the Period August 1, 2008 to July 31, 2009
September 23, 2009

Office of Inspector General
DEPARTMENT OF THE TREASURY

This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information requiring protection from public dissemination has been redacted from this report in accordance with the Freedom of Information Act, 5 U.S.C. Section 552.

Information within Sections III and IV has been REDACTED under FOIA Exemption 2, 5 U.S.C. §552(b)(2):

Section III:
 Control Objective 1 – System Software
 Control Objective 3 – Program Change Control
 Control Objective 4 – Physical Access
 Control Objective 5 – Logical Access
 Control Objective 7 – Network Performance Monitoring
Section IV:
 CONTINGENCY PLANNING

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

September 23, 2009

MEMORANDUM FOR VAN ZECK, COMMISSIONER
BUREAU OF THE PUBLIC DEBT

FROM: Michael Fitzgerald
Director, Financial Audits

SUBJECT: Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt’s Federal Investments Branch for the Period August 1, 2008 to July 31, 2009

I am pleased to transmit the attached Report on Controls Placed in Operation and Tests of Operating Effectiveness for the Bureau of the Public Debt’s (BPD) Federal Investments Branch for the period August 1, 2008 to July 31, 2009. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed the examination of the general computer and investment/redemption processing controls related to BPD’s transactions processing of investment accounts for various Federal Government agencies (Fund Agencies) for the period August 1, 2008 to July 31, 2009.
The contract required that the examination be performed in accordance with generally accepted government auditing standards and the American Institute of Certified Public Accountants’ Statement on Auditing Standards Number 70, Reports on the Processing of Transactions by Service Organizations, as amended.

The following reports, prepared by KPMG LLP, are incorporated in the attachment:

• Independent Service Auditors’ Report; and
• Independent Auditors’ Report on Compliance with Laws and Regulations.

In its examination of BPD’s controls, KPMG LLP found:

• the Description of Controls Provided by the BPD presents fairly, in all material respects, the relevant aspects of BPD’s controls that had been placed in operation as of July 31, 2009,
• that these controls are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and Fund Agencies and sub-service organizations applied the controls contemplated in the design of BPD’s controls,
• that the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period from August 1, 2008 to July 31, 2009, and
• no instances of reportable noncompliance with laws and regulations tested.

In connection with the contract, we reviewed KPMG LLP’s reports and related documentation and inquired of its representatives.
Our review, as differentiated from an audit in accordance with generally accepted government auditing standards, was not intended to enable us to express, and we do not express, an opinion on BPD's description of controls, the suitability of the design of these controls and the operating effectiveness of controls tested or a conclusion on compliance with laws and regulations. KPMG LLP is responsible for the attached auditors’ reports dated September 18, 2009 and the conclusions expressed in the reports. However, our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits at (202) 927-5076.

Attachment

U.S. Department of the Treasury
Bureau of the Public Debt

Federal Investments Branch
General Computer and Investment/Redemption Processing Controls

(REDACTED VERSION)

Report on Controls Placed in Operation and Tests of Operating Effectiveness
For the Period August 1, 2008 to July 31, 2009

U.S. DEPARTMENT OF THE TREASURY
BUREAU OF THE PUBLIC DEBT
FEDERAL INVESTMENTS BRANCH

REPORT ON CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS

Table of Contents

Section   Description

I. Independent Service Auditors’ Report Provided by KPMG LLP

II. Description of Controls Provided by the Bureau of the Public Debt

    Overview of Operations

    Relevant Aspects of the Control Environment, Risk Assessment, and Monitoring
        Control Environment
        Risk Assessment
        Monitoring

    Information and Communication

    Control Objectives and Related Controls
        The Bureau of the Public Debt’s control objectives and related controls are included in Section III of this report, “Control Objectives, Related Controls, and Tests of Operating Effectiveness.” Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the Bureau of the Public Debt’s description of controls.

    Fund Agency Control Considerations

    Sub-service Organizations

III. Control Objectives, Related Controls, and Tests of Operating Effectiveness

    General Computer Controls
        System Software
        Vendor Software
        Program Change Control
        Physical Access
        Logical Access
        Computer Operations
        Network Performance Monitoring

    Investment/Redemption Processing Controls
        Item Processing Security
        Item Capture
        Confirmations
        Fund Balance Adjustment
        Recordkeeping
        Segregation of Duties
        Interest Calculation and Payments
        Statement Rendering

IV. Other Information Provided by Bureau of the Public Debt

    Contingency Planning

V. Independent Auditors’ Report on Compliance with Laws and Regulations

I. INDEPENDENT SERVICE AUDITORS’ REPORT PROVIDED BY KPMG LLP

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Service Auditors’ Report

Inspector General, U.S. Department of the Treasury
Commissioner, Bureau of the Public Debt and the
Assistant Commissioner, Office of Public Debt Accounting

We have examined the accompanying description of the general computer and investment/redemption processing controls related to the Federal Investments Branch (FIB) of the Bureau of the Public Debt (BPD).
Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of BPD’s controls that may be relevant to a Fund Agencies’ internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and Fund Agencies and sub-service organizations applied the controls contemplated in the design of BPD’s controls; and (3) such controls had been placed in operation as of July 31, 2009. BPD uses services provided by other organizations external to BPD (“sub-service organizations”). A list of sub-service organizations is provided in Section II of this report. Our examination did not extend to controls of sub-service organizations. Therefore, the accompanying description includes only those controls and related control objectives of BPD, and does not include control objectives and related controls of sub-service organizations. The control objectives were specified by the management of BPD. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and applicable Government Auditing Standards issued by the Comptroller General of the United States and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of BPD’s controls that had been placed in operation as of July 31, 2009.
Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and Fund Agencies and sub-service organizations applied the controls contemplated in the design of BPD’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section III, to obtain evidence about their effectiveness in meeting the control objectives, described in Section III, during the period from August 1, 2008 to July 31, 2009. The specific controls and the nature, timing, extent, and results of the tests are listed in Section III. This information is being provided to Fund Agencies of BPD and to their auditors to be taken into consideration, along with information about the internal control of Fund Agencies, when making assessments of control risk for Fund Agencies. In our opinion, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from August 1, 2008 to July 31, 2009.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The relative effectiveness and significance of specific controls at BPD and their effect on assessments of control risk at Fund Agencies are dependent on their interaction with the controls, and other factors present at individual Fund Agencies.
We have performed no procedures to evaluate the effectiveness of controls at individual Fund Agencies.

The description of controls at BPD is as of July 31, 2009, and the information about tests of the operating effectiveness of specific controls covers the period from August 1, 2008 to July 31, 2009. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at BPD is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

The information in Section IV of this report is presented by BPD to provide additional information and is not a part of BPD’s description of controls placed in operation. The information in Section IV has not been subjected to the procedures applied in the examination of the description of the controls applicable to the processing of transactions for Fund Agencies and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of the management of BPD, its Fund Agencies, the independent auditors of its Fund Agencies, the U.S. Department of the Treasury Office of Inspector General, the Office of Management and Budget, the Government Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used by anyone other than these specified parties.

September 18, 2009

II. DESCRIPTION OF CONTROLS PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

OVERVIEW OF OPERATIONS

Treasury Directive 27-02, Organization and Functions of the Fiscal Services, dated May 23, 1997, established the Bureau of the Public Debt’s (BPD) responsibility to invest, approve schedules for withdrawals, and maintain accounts for the Federal Trust and Deposit Programs as directed by statute, and certify interest rates determined by the Secretary of the U.S. Department of Treasury.

BPD has assigned these responsibilities to the Division of Federal Investments (DFI), with the exception of interest certification, which is assigned to the Debt Accounting Branch. DFI manages two functional areas: Trust Funds Management Branch (TFMB) and Federal Investments Branch (FIB). FIB is responsible for processing investment transactions for 251 Federal funds, authorized by law or the Secretary of the Treasury, that comprise the balances of the Government Account Series (GAS). FIB processes these investment transactions based on direction provided by the Federal agencies, which have programmatic responsibility for the use of the fund balances (the Fund Agencies). FIB employs ten personnel and processes an average of 300 transactions daily.
FIB also performs the following operational duties:

• Analyzes provisions and limitations of public laws relating to investments for each account.
• Establishes and controls the record keeping of Fund Agencies’ accounts by receiving and issuing investment documents such as the Request for Investment and Redemption of Securities, Investment Confirmations and Monthly Statement of Account.
• Provides daily and monthly reports to Fund Agencies reflecting account activities and balances.

Investment and redemption transaction records are maintained in both paper and electronic form. Confirmations are available in FedInvest and Monthly Statements of Account are available in FedInvest and are also published on the TreasuryDirect website for retrieval and review by Fund Agencies. FIB maintains and operates the InvestOne accounting system to perform the operational duties stated above. The InvestOne accounting system is a transaction-based accounting system for recording and processing investment security transactions for each of the accounts and provides information to the Public Debt Accounting and Reporting System (PARS) and the Intragovernmental Payment and Collection System (IPAC). The InvestOne accounting system computes daily, monthly, quarterly, semiannual, and annual interest income for each account for each security held. It also calculates amortization, investment discount and premium for investment and redemption transactions, Inflation Compensation Earned on the Treasury Inflation Protected Securities (TIPS), and maintains summary account balances for each account as well as balances by type of security. Fund Agencies use FedInvest, a web-based extension of InvestOne, to enter investment and redemption requests, view transaction information, and obtain confirmations and reports.
Internal Fund managers use FedInvest and two additional extensions, Customer Role Management (CRM) and Rate Price Administration (RPA), to process transactions, manage users and accounts, and manage the application of pricing, rates, and pending transactions.

FIB processes investment transactions based on requests from Fund Agencies regarding security type, maturity, and amount. Fund Agencies submit the investment/redemption requests via the Internet using FedInvest. When necessary, Fund Agencies can submit the investment/redemption requests via fax, email, or hard copy form. The investment and redemption request processing for Fund Agencies is summarized as follows.

Investment Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request form and provides the form to a supervisor for approval. The supervisor reviews and approves the form and submits the form to FIB. FIB verifies that the information is complete then e-mails the IT Service Desk to request that the user be added to Contact Management. Once IT Service Desk notifies FIB that the user has been added to Contact Management, FIB provides the FedInvest Logon-ID Request form to the Division of Systems and Program Support (DSPS) Information System Security Representatives (ISSRs) for user set-up in FedInvest. OIT provides the new user with their user id and temporary password and contacts the user to login to FedInvest with the temporary password, answer security questions, and change the password. FIB then coordinates FedInvest training with the new user. When a FedInvest user is terminated, the Fund Agency uses the above stated form to revoke access and submits the approved form to FIB.
FIB follows the same process stated above to revoke the user.

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user selects the Account Fund Symbol (AFS), date, security type, and investment amount in FedInvest.

Before Prices Loaded – The FedInvest user may enter investment requests before prices are loaded in the system for up to 10 business days in the future except for Zero Coupon Bonds and Special Issue Certificates of Indebtedness. Upon submission of the request, the user receives a confirmation number which is proof to the customer that their request was accepted. When prices are loaded by the FIB accountant into the InvestOne accounting system, the FIB accountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the website, and apply the prices to the pending investment transactions. Once the price has been applied to the transaction, it is automatically posted to the InvestOne accounting system evidenced by the replacement of the confirmation number with a memo number on the confirmation available to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter investment requests after prices are loaded except for Zero Coupon Bonds. Since FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system automatically assigns a memo number and applies the price/rate. A confirmation of results is available in FedInvest to FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter investment requests by 11:00 am EST. FedInvest sends the request by email to the FIB accountants who forward the request to the U.S. Department of Treasury’s, Office of Debt Management (ODM) for pricing. ODM prices the purchase of the Zero Coupon Bond at approximately 12:00 pm EST and forwards the results to FIB by email.
The FIB accountant enters the pricing results into the InvestOne accounting system, posts the transaction, and forwards the memo number to the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest user.

FIB may receive investment requests via fax, email, or hard copy from Fund Agencies when necessary. A FIB accountant enters the request into FedInvest or the InvestOne accounting system on behalf of the Fund Agency. Then two FIB accountants compare the transaction confirmation to the investment request to ensure the investment request is recorded accurately, posted to the correct day, and then initial the investment request to document their review. A confirmation of results is available in FedInvest to the FedInvest user the same day. On the following business day, a FIB accountant compares the InvestOne Spectra report (Prior Day Review) to the investment requests submitted by the Fund Agency to ensure transactions were properly entered into the InvestOne accounting system.

Redemption Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request form and provides the form to a supervisor for approval. The supervisor reviews and approves the form and submits the form to FIB. FIB verifies that the information is complete and e-mails the IT Service Desk to request that the user be added to Contact Management. Once IT Service Desk notifies FIB that the user has been added to Contact Management, FIB provides a copy of the FedInvest Logon-ID Request form to the DSPS ISSRs for user set-up in FedInvest.
OIT provides the new user with their user id and temporary password and contacts the user to login to FedInvest with the temporary password, answer security questions, and change the password. FIB then coordinates FedInvest training with the new user. When a FedInvest user is terminated, the Fund Agency uses the above stated form to revoke access and submits the approved form to FIB. FIB then goes through the same process stated above to revoke the user.

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user selects the AFS, date, inventory method (First-In First-Out (FIFO) or Specific ID), security type, and redemption amount in FedInvest.

Before Prices Loaded – The FedInvest user may enter Market-based bill, note, and bond redemption requests using the FIFO inventory method before prices are loaded in the system for up to 10 business days in the future. Upon submission of the request, the user receives a confirmation number which is proof to the customer that their request was accepted. When prices are loaded by the FIB accountant into the InvestOne accounting system, the FIB accountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the website, and apply the prices to the pending redemption transactions. Once the price has been applied to the transaction, it is automatically posted to the InvestOne accounting system evidenced by the replacement of the confirmation number with a memo number that is also on the confirmation available to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter Market-based bill, note, bond and TIPS redemption requests using the FIFO or Specific ID inventory methods after prices are loaded in the InvestOne accounting system and FedInvest.
If Fund Agencies have tax lots (a group of the same securities purchased on different dates) and decide to apply the specific identification method rather than the FIFO method to redeem from specific tax lots, Fund Agencies need to select “Specific ID” inventory method to override the InvestOne accounting system default setting of the FIFO method, and enter the principal amount to redeem for each tax lot. Since FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system automatically assigns a memo number and applies the price/rate. A confirmation of results is available on FedInvest to FedInvest users.

Par-value securities - Special par-value securities have unique redemption rules that require the InvestOne accounting system to redeem them based on the order of earliest maturity date, lowest prevailing interest rate, and FIFO. The FedInvest user receives a confirmation with a confirmation number and a message that the Redemption rules will be applied in accordance with Treasury Fiscal Policy. The transaction will be pending until after the close of business on the effective date. At close of business (after 3:00 pm EST) on the effective date of the redemption, the FIB accountant uses the FedInvest RPA module to run the Post Par Value Sell Transactions that will process, post, and assign memo numbers to the pending redemption requests in the InvestOne accounting system using the unique redemption rules.
A confirmation of results is available in FedInvest to the FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter redemption requests into FedInvest (by 11:00 am EST) and FedInvest sends an email to the FIB accountants who forward the request to ODM for pricing. ODM prices the redemption of the Zero Coupon Bond at approximately 12:00 pm EST and forwards the results to FIB via email. The FIB accountant enters the pricing results into the InvestOne accounting system, posts the transaction, and forwards the memo number to the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest users.

FIB may receive redemption requests via fax, email, or hard copy from Fund Agencies when necessary. A FIB accountant enters the request into FedInvest or InvestOne accounting system on behalf of the Fund Agency. Then two FIB accountants review and initial the redemption request. A confirmation of results is available in FedInvest to the FedInvest users the same day. On the following business day, a FIB accountant compares the InvestOne Spectra report (Prior Day Review) to the redemption requests submitted by the Fund Agency to ensure the transactions were properly entered into the InvestOne accounting system.

FIB obtains and applies open market prices for securities negotiated by brokers and dealers of government securities from the U.S. Department of the Treasury’s ODM and the Federal Reserve Bank (FRB) of New York.

FIB functions do not encompass monitoring or determining rates, types and maturities of government marketable securities.
The Office of Information Technology (OIT) provides application security (including passwords), processing, and report programming support to FIB including regular maintenance programming and user-requested program enhancements.

The BPD organization chart as it relates to FIB SAS70 follows on the next page.

ORGANIZATIONAL CHART

(BPD) Bureau of the Public Debt

(OIT) Office of Information Technology: IT support for Application Security, Application Processing, and Network Support
(OPDA) Office of Public Debt Accounting

(DSPS) Division of Systems and Program Support
(DFI) Division of Federal Investments

(PSB) Program Support Branch
(SSB) Systems Support Branch
(TFMB) Trust Funds Management Branch: Federal Trust Fund Management
(FIB) Federal Investments Branch: Process Investment/Redemption Requests for Fund Agencies on InvestOne Accounting System

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT, AND MONITORING

Control Environment

Operations are primarily under the direction of the Office of the Director of the Division of Federal Investment (DFI) and the Director of the DSPS, which represent the functional areas listed below:

• Administrative development: Coordinates various aspects of FIB operations. Identifies areas requiring internal controls and implements those controls. Performs systems planning, development, and implementation. Reviews network operations and telecommunications and performs disaster-recovery planning and database administration.
• Fund support: Supports end users (Fund Agencies) in all aspects of their use of the application system including research and resolution of identified problems.
• Operations: Manages daily computer operations, production processing, report production and distribution, and system utilization and capacity.

The DFI and DSPS hold bi-weekly management meetings to discuss special processing requests, operational performance, and the development and maintenance of projects in process. Written position descriptions for employees are maintained. The descriptions are inspected annually and revised as necessary.

References are sought and background, credit, and security checks are conducted for all BPD personnel when they are hired. Additional background, credit, and security checks are performed every three to five years.
The confidentiality of user-organization information is stressed during
the new employee orientation program and is emphasized in the personnel manual issued to each
employee. BPD provides a mandatory orientation program to all full time employees and
encourages employees to attend other formal outside training.

All BPD employees receive an annual written performance evaluation and salary review. These
reviews are based on goals and objectives that are established and reviewed during meetings
between the employee and the employee’s supervisor. Completed appraisals are reviewed by
senior management and become a permanent part of the employee’s personnel file.

Risk Assessment

BPD has placed into operation a risk assessment process to identify and manage risks that could
affect FIB’s ability to provide reliable transaction processing for users. This process requires
management to identify significant risks in their areas of responsibility and to implement
appropriate measures to manage these risks.

Additionally, all mission-critical systems and general support systems are subject to an internal
risk-based review every three years. This review identifies assets and possible threats to these
assets, provides a measure of vulnerability of the system to these threats, and confirms control or
protective measures are in place.

Monitoring

BPD management and supervisory personnel monitor the quality of internal control performance
as a normal part of their activities. To assist them in this monitoring, BPD has implemented a
series of “key indicator” management reports that measure the results of various processes
involved in providing transaction-processing services to Fund Agencies. Key indicator reporting
consists of PARS posting summary reports to validate accuracy.
All exceptions to normal or
scheduled processing through hardware and software, or procedural problems are also logged,
reported and resolved daily. These reports are inspected daily and weekly by appropriate levels
of management, and action is taken as necessary.

INFORMATION AND COMMUNICATION

Information Systems

InvestOne Accounting System Description

The InvestOne accounting system is a vendor supplied accounting package used to record and
report investment fund activity processed by FIB. InvestOne is licensed by SunGard Investment
Systems, Inc. (SunGard). The InvestOne accounting system resides on BPD’s mainframe. OIT
provides the primary support for maintaining the InvestOne accounting system. This includes
mainframe operations (batch processing and reporting), custom report writing, application change
management, data management, tape backup and recovery, user access security, remote access,
and continuity management. The InvestOne accounting system is accessed through the network
using a terminal emulator software product that enables communication with OIT mainframe
applications. The InvestOne accounting system also provides a report writer package called
Spectra that provides users with the ability to create their own reports. FIB uses Spectra to create
reports, which provide functionality not included in the standard InvestOne reports.

FIB also receives supporting documentation/reports on a daily basis from internally-developed
programs created by programmers.
These programs read the data from the InvestOne accounting
system and create various reports to assist in FIB’s daily processing. Specifically, data is
downloaded from the InvestOne accounting system to a data file located on the servers where the
programs execute. Data is not sent from these programs to the InvestOne accounting system.

FedInvest Description

FedInvest is a SunGard-developed, web-based extension to the InvestOne accounting system that
provides access to the federal investments information through the Internet. The system allows
federal investment fund managers to assume direct responsibility for managing their respective
accounts. Using FedInvest, federal agencies are able to input transactions into the InvestOne
accounting system, as well as view account statements and transaction information over the
Internet. Additionally, FedInvest provides an interface to the InvestOne accounting system for
internal fund managers in BPD’s DFI. FedInvest includes edits that serve to enforce federal
investment program policies resulting in improved data quality in the InvestOne accounting
system.

FedInvest also includes two extensions that are available only to BPD internal users. The
Customer Role Management (CRM) module is used by DSPS ISSRs to manage FedInvest users
and their access to associated investment account information. CRM is used by FIB accountants
to manage security type and account information. CRM is also used to create and post broadcast
messages (announcements) that are seen by users signed onto the system, and establish e-mail
communication to all system users and their agency Chief Financial Officers.
The Rate Price
Administration (RPA) module is used by FIB accountants to load rates/prices, publish rates/prices
on the TreasuryDirect website, apply prices to pending market-based transactions, post pending
par-value redemption transactions, and update FedInvest with the Consumer Price Index (CPI) for
processing TIPS transactions.

Communication

BPD has implemented various methods of communication to ensure that all employees
understand their individual roles and responsibilities over transaction processing and controls.
These methods include orientation and training programs for newly hired employees, and use of
electronic mail messages to communicate time sensitive messages and information. Managers
also hold periodic staff meetings as appropriate. Every employee has a written position
description that includes the responsibility to communicate significant issues and exceptions to an
appropriate higher level within the organization in a timely manner.

FUND AGENCY CONTROL CONSIDERATIONS

BPD's general computer and investment/redemption processing controls related to FIB were
designed with the expectation that certain internal controls would be implemented by Fund
Agencies.
The application of such controls by the Fund Agencies is necessary to achieve all
control objectives identified in this report, since FIB is a servicing organization that processes
transactions that directly affect Fund Agencies.

This section describes certain controls that Fund Agencies should consider for achievement of
control objectives identified in this report. The Fund Agency control considerations presented
below should not be regarded as a comprehensive list of all controls that should be employed by
Fund Agencies. Fund Agencies should establish controls to:

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

•   Provide applicable legislation to FIB, and any subsequent legislation revisions, that
    authorizes the Fund Agency to invest.

•   Verify the authority to invest prior to submitting investment/redemption requests.

•   Ensure that only authorized personnel sign requests or submit transactions in FedInvest.

•   Ensure that the submission of investment/redemption requests in FedInvest is accurate and
    completed prior to 3:00 pm EST (11:00 am EST for Zero Coupon Bonds).

•   Notify FIB if the investment/redemption requests have been processed incorrectly so that
    correcting transactions may be processed before 3:00 pm EST.

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    their instructions.

•   Track investment/redemption confirmations to ensure that the Fund Agency FedInvest user
    correctly processes all requests.

•   Review and reconcile all transaction confirmations to determine that they are accurate and
    complete, and report discrepancies to FIB so that correcting transactions may be processed
    before 3:00 pm
    EST.

•   Review adjustments and make prompt and appropriate journal entries to the accounting
    records, to adjust the investment and interest account balances.

•   Review Monthly Statements of Account to verify that adjustments were processed completely
    and accurately.

•   Ensure that the requested investment returns the appropriate amount of interest to meet
    investment income goals.

•   Reconcile interest payments received as presented in the confirmations and Monthly
    Statements of Account and recalculate interest for accuracy.

•   Approve reinvestments of interest after review for accuracy, completeness, and compliance
    with instructions.

•   Recalculate interest accrual and amortization of premium and/or discount and compare the
    results to the BPD provided monthly Accrual Confirmation and Accrual Activity Reports.

•   Report any interest accrual discrepancies noted on the monthly Accrual Confirmation and
    Accrual Activity Reports to BPD for resolution.

•   Report any premium and/or discount amortization discrepancies noted on the monthly
    Accrual Confirmation and Accrual Activity Reports to BPD for resolution.

•   Review FIB provided Monthly Statements of Account to ensure that transactions are recorded
    accurately and timely, and report discrepancies to FIB so correction processes may occur.

•   Reconcile investment activity from Financial Management Service application
    Governmentwide Account Statements to the FIB provided Monthly Statements of Account to
    verify that investment activity is being properly reported by FIB on the Fund Agencies’
    behalf.

Specific Fund Agency control considerations are provided for Control Objectives 5, 8, 9, 10, 11,
13, 14, and 15 in the Control Objectives, Related Controls, and Tests of Operating Effectiveness
section of this report.

SUB-SERVICE ORGANIZATIONS

In order to provide investment/redemption processing services, FIB relies on systems and
services provided by other organizations external to BPD (“sub-service organizations”). The
following describes the sub-service organizations used by FIB that are included in this report.
KPMG LLP’s examination did not extend to controls of these sub-service organizations and
associated systems.

Name of Sub-service Organization: Function/Responsibilities

Federal Reserve Bank (FRB) of New York:
    On a daily basis, FIB obtains Treasury Price Quote files via digital certificate from a
    secure FRB website. FIB uses these price quote files to calculate the market-based security
    prices that can be loaded into the InvestOne accounting system and compared to the price
    files provided by ODM. On a daily basis, FIB received a daily repurchase rate for one-day
    certificates from the FRB of New York through November 2, 2008. Beginning November 3,
    2008, the one-day rate is linked to the shortest regularly issued Treasury security,
    currently the 4 week bill. FIB receives this from the Office of Debt Management (see
    below).

Treasury – Office of Debt Management (ODM):
    On a daily basis, the ODM provides FIB the daily security price files for market-based
    transactions. Additionally, as needed, ODM provides FIB with the Zero Coupon Bond
    pricing. Beginning November 3, 2008, ODM provides FIB the Daily Market Quotations on
    Most Recently Auctioned Treasury Bills used for the rate for the one-day certificates.

Treasury – Financial Management Service (FMS):
    Treasury’s FMS provides daily and monthly reports to FIB, including IPAC reports, and
    GWA account statements. FIB uses these reports to verify the accurate posting of
    transactions and data.

III.   CONTROL OBJECTIVES, RELATED CONTROLS, AND
       TESTS OF OPERATING EFFECTIVENESS

GENERAL COMPUTER CONTROLS

Control Objective 1 – System Software

Controls provide reasonable assurance that implementation and changes to system software are
authorized, tested, approved, properly implemented, and documented.

Description of Controls

The Bureau of the Public Debt (BPD) has documented procedures for the authorization, testing,
approval, implementation, and documentation of system software changes.

The InvestOne accounting system operates within a mainframe environment[1]. The FedInvest
system is operated within a client-server environment[2],[3]. Mainframe and client-server system
software products are under vendor control for maintenance and support. Upgrades to these
products are obtained from the vendors and installed by the Office of Information Technology
(OIT) specialists.

For system software changes, BPD uses the iET product for change management. All system
software changes (i.e., new product installations, maintenance upgrades, etc.) require a change
record to be opened in iET. A change record can be opened by any specialist in OIT’s division
responsible for effecting such changes or the change control coordinator. The iET change record
includes a description of the change, implementation date of the change, a justification, and a
back-up/back-out plan.

Changes are initially discussed at the weekly change control meetings. Attendees include OIT
representatives impacted by the proposed change. Notification is sent to the assistant
commissioner, division directors, branch managers and/or staff personnel.
Following the
meeting, the change control coordinator prepares and distributes the Weekly Change Control
Memorandum with information on changes for the upcoming week. This memorandum describes
the system changes, effective dates, reasons for changes or problems the changes will resolve.
There is also a reference to the iET change control number.

[1] Which consists of the following system software products: (b) (2)
[2] The FedInvest system is composed of the following system software components: (b) (2)
[3] Reliant Services: (b) (2)

Before system software changes can be moved to production, they are tested in accordance with
the BPD’s system software change control procedures. These procedures document the
authorization, testing, approval, implementation, and documentation requirements for system
software changes. Changes progress through various environments, which differ according to the
type of system infrastructure. For the mainframe, there are three separate environments: test,
acceptance, and production. Each environment is a logical environment with its own software,
datasets, and libraries. Mainframe changes are first tested by a programmer in the test
environment; changes are moved to the production environment following approval.
For changes
to distributed software, changes are promoted up through integration, acceptance, and production
regions with controls similar to those described above.

All changes are reviewed and coordinated at the weekly change control meeting, and approved by
the change control coordinator prior to being moved into the production environment.

All emergency changes follow the same process as indicated above, with the exception that
changes move through the environments at an accelerated rate. Testing and approval of these
changes are documented in iET.

BPD has established a process that allows system programmers and database administrators to
have temporary access to the Production mainframe environment through the use of a “fire-call”
ID product that allows them elevated privileges for system software and application changes.
The operating system is configured to monitor and log such activity for review and approval by
management; management reviews these logs within a reasonable timeframe after the use of
"fire-call".

OIT reviews the use of sensitive system utilities included in the protected programs group on a
weekly basis and limits access to these programs based on job responsibility.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures for system software configuration management and determined
   that procedures were documented, including procedures to document, test, authorize, and
   approve system software changes, and properly implement changes into production.

2. Inspected the emergency system software change procedures and determined that procedures
   for implementing emergency system software changes were documented, including approval
   by management.

3. Inspected vendor maintenance support contracts for system software and determined that the
   contracts existed and were current.

4. For a selection of system software change records, inspected iET tickets and determined that
   iET was used throughout the examination period to log, track, and monitor system software
   changes.

5. For a selection of dates, inspected Weekly Change Control Memorandums and determined
   that weekly change control meetings were held to discuss planned changes with the potential
   to impact the InvestOne accounting system or FedInvest application system software.

6. For a selection of system software changes and emergency system software changes,
   inspected supporting documentation and determined that the changes were tested, authorized,
   and approved prior to implementation.

7. For a selection of system software changes, inspected supporting documentation and
   determined that the changes were approved.

8. Inspected a list of users with access to use fire-call and determined that the list was
   commensurate with job responsibilities.

9. For a selection of days, inspected fire-call logs and evidence of review, and determined that
   fire-call logs were reviewed by OIT management.

10. For a selection of weeks, inspected evidence of OIT’s review of reports for sensitive system
    utilities in the protected programs group and determined that the reports were reviewed.

No exceptions noted.

Control Objective 2 – Vendor Software

Controls provide reasonable assurance that implemented new releases of vendor-supplied
applications are authorized, tested, approved, properly implemented, and documented.

Description of Controls

BPD has documented procedures for the testing and authorization of new releases of vendor
supplied applications. The change control process is under the control and direction of the Office
of Public Debt Accounting (OPDA).

The InvestOne accounting system is licensed by SunGard Investment Systems, Inc (SunGard).
BPD has a maintenance and support contract for InvestOne with SunGard. For the period of
August 1, 2008 through September 30, 2008, BPD also had a maintenance and support contract
for the FedInvest system with SunGard. Starting on October 1, 2008 through July 31, 2009, OIT
was responsible for all maintenance and support of the FedInvest system.

SunGard periodically provides new releases of InvestOne, including documentation. Each new
release requires comprehensive testing. The Division of Systems and Program Support (DSPS)
tests new InvestOne releases developed by SunGard consistent with change control procedures
for OPDA systems. New InvestOne releases are initially installed in the Test environment where
they are subjected to integration testing. After successful completion of testing, the InvestOne
new release is migrated by OIT to the Acceptance environment, where it is subjected to
acceptance testing by users.
An InvestOne new release will be installed in the Production
environment only after all testing has been successfully completed and management has approved
the new release for implementation in the Production environment. No releases were issued
between August 1, 2008 and July 31, 2009.

In addition to new releases, SunGard will periodically provide fix tapes for the InvestOne
accounting system. Fix tapes, which address certain InvestOne issues, are narrower in scope than
new releases. Based on what changes a particular fix tape includes, BPD management will
decide whether or not to implement the fix tape. If BPD management decides to implement the
fix tape, the fix tape is migrated through the Test and Acceptance environments. Fix tapes are
installed in the Production environment only after successful completion of testing in the Test and
Acceptance environments and management approval for migration into the Production
environment.

DSPS also tests changes to the InvestOne application reports, developed by SunGard Investment
Systems, Inc. using the same change control procedures described above.

In addition, BPD uses the version control software to manage the upgrades and enhancements.
Changes are only migrated into the production environment once all responsible parties approve
the change in the version control software. Access to migrate changes via the version control
software is limited based on job responsibility.

Tests of Operating Effectiveness and Results of Testing

1. Inspected procedures for the implementation of new releases of vendor supplied applications,
   and determined that they were documented and included requirements for authorization,
   testing, documentation, and approval.

2. Inspected vendor maintenance support contracts for the InvestOne accounting system
   software and determined that the contracts existed and were current.

3. Inspected vendor maintenance support contracts for FedInvest software and determined that
   the contracts existed and were current.

4. Observed the version of the InvestOne accounting system and compared it to the prior year
   version and noted that the version had not changed during the period under examination.

5. For the fix tapes implemented during the examination period, inspected documentation of test
   results and approvals for implementation and determined that the fix tapes had been tested
   and approved prior to implementation into production.

6. Inspected version control software access permissions and determined that access
   permissions to migrate changes to the production environment were restricted commensurate
   with job responsibilities.

No exceptions noted.

Control Objective 3 – Program Change Control

Controls provide reasonable assurance that development of new applications and changes to existing
applications are authorized, tested, approved, properly implemented, and documented.

Description of Controls

BPD has documented procedures for the authorization, testing, approval, implementation, and
documentation of application software changes. The change control process is under the control
and direction of OPDA.

SunGard has custom built additional application components for InvestOne data entry and
reporting.
Included is the FedInvest application, which functions as a web-based user interface
that customer agencies can use for entering transactions into the InvestOne accounting system.
For reporting, BPD has built internally-developed programs utilizing RM (desktop) COBOL and
mainframe COBOL that generate customized reports to provide information unavailable in the
standard InvestOne reporting package.

For RM COBOL, OIT uses a version control software[4] to control access to source code for these
internally-developed programs and to facilitate version control by requiring developers to check
source code in and out using version control software. These programs read the data from the
InvestOne accounting system and create reports. Specifically, data is downloaded from
InvestOne, using standard InvestOne processes, to a data file on the mainframe then via ftp to the
servers where the programs execute. Data is not sent from these programs to the InvestOne
accounting system. The reports are used by the trust fund managers, sent to Fund Agencies, or
sent to U.S. Department of Treasury’s Financial Management Service, the Office of Debt
Management and Office of Fiscal Projection. The Congressional Budget Office also receives
reports generated from the InvestOne accounting system.

For mainframe COBOL, OIT uses a version control software[5] to control access to source code for
these internally-developed programs and to facilitate version control. These programs were
developed by OIT and reside on the mainframe, where these programs execute.

For FedInvest and customized reports, OIT uses a version control software[6] to control access to
source code for the vendor supplied and BPD managed programs to facilitate version control.
Changes to FedInvest were developed by SunGard between August 1, 2008 and September 30,
2008 and by OIT between October 1, 2008 and July 31, 2009.

DSPS provides support for the design and testing of the above changes.
DSPS creates the
requirements documentation, which is then provided to OIT (or SunGard) for development.
DSPS manages the request, documentation, testing, and approval process using a Change Control
Checklist and iET.

Changes using version control software progress through three separate environments: Test or
Integration, Acceptance, and Production. A change is first tested by the programmer in the Test
or Integration environment. It is then migrated to the Acceptance environment where a user tests
the change using example transactions and Acceptance environment files and libraries.

Each change is reviewed by the user groups that are affected by the change, and each group
provides user concurrence that they accept the change. Following user concurrence, a senior staff
member reviews the testing materials and completes the Change Control Checklist indicating that
testing has been completed. The package is provided to the DSPS Branch Manager for final
review and approval.

[4] (b) (2)
[5] (b) (2)
[6] (b) (2)

Once the DSPS Branch Manager approves the change, DSPS sends a Network Services Request
to OIT to move the change into the Production environment. Upon notification of an accepted
change, OIT creates an update package in version control software. Only approved changes are
installed in the Production environment.

For mainframe COBOL, the version control software is an application through which users
approve changes. This version control software is also used to move changed program files into
the Production environment. This version control software will not allow changes to be migrated
from the Acceptance environment into production until the changes have been approved.
Access to migrate changes to Production via the version control software change control software is limited based on job responsibility.

Tests of Operating Effectiveness and Results of Testing

1. Inspected application software change procedures and determined that they were documented and included requirements for authorization, testing, documentation, and approval.

2. Inspected the access permissions and inquired of OIT management and determined that access to source code for internally-developed programs was commensurate with job responsibilities, with the following exception noted:

   • A member of OIT had the capability to make a change to the RM COBOL source code and migrate the changed source code into the production environment. In addition, when an OIT programmer makes a change to the RM COBOL source code, it is the programmer’s responsibility to initiate a code review by another member of OIT. Under this process, coupled with the item noted above, it is possible that code may be migrated without review or approval.

     Management Response: BPD is in the process of developing a new standard operating procedure for migration of RM COBOL code to production which will not allow the programmers making changes to migrate the code into production.

3. Inspected the access control lists for FedInvest and customized reports version control software and determined that access to the source code for FedInvest was commensurate with job responsibilities.

4. Inspected a selection of change records in iET and determined that iET was used throughout the examination period to log, track, and monitor application software changes.

5. For a selection of application software changes, inspected supporting documentation and determined that the changes were tested and approved.

6.
Inspected version control software access permissions and determined that access permissions to migrate changes to the production environment were restricted commensurate with job responsibilities for mainframe COBOL and FedInvest.

No exceptions noted, except as described above.

Control Objective 4 – Physical Access

Controls provide reasonable assurance that physical access to computer equipment and storage media is restricted to authorized individuals.

Description of Controls

BPD has documented policies and procedures for controlling physical access to BPD buildings and to the data center. These include:

• Identification of sensitive/critical areas to which access needs to be restricted.
• Physical access controls designed to detect unauthorized access.
• Procedures for log reviews and investigation of violations.

The InvestOne mainframe and FedInvest servers reside in OIT’s data center. Various physical access controls protect the facilities. [7]

The Security Branch issues employee badges, after performing security background checks and fingerprinting.

Employees are required to have badges available at all times upon request.

Terminated employees are required to surrender identification badges and are removed from the database security system immediately.

Physical access to the OIT Data Center is restricted to authorized users only. An employee needing access to the data center must have his/her Branch Manager request access. The requests are made through iET, a workflow system that is used to approve data center access.
After the Branch Manager completes and submits the iET request form, requests are forwarded to OIT's data center managers for approval in the iET. If OIT approves the request, the BPD Division of Security and Emergency Preparedness (DSEP) Security Branch grants access. Access to all sensitive areas requires use of a badge. The use of a badge provides an audit trail that is reviewed by OIT management monthly for potential access violations. Any unauthorized access attempts are followed up on by contacting the individual’s supervisor. Individuals without badge access to the data center must be escorted to the command center and are required to sign in/out of a Visitor log to be issued a data center visitor badge. Visitor badges do not have access to the data center, but rather designate the individual as a visitor. A visitor log is maintained at the main entrance to the data center. [8]

OIT performs a monthly review and reconciliation of individuals with data center access to individuals authorized to have data center access. Additionally, OIT performs an annual review and recertification of individuals with access to the data center. If an individual is found to have unauthorized data center access, OIT will, based on the individual’s need for access, make a decision whether to request that DSEP remove their data center access or whether to provide authorization for their access.

[7] Armed security guards man and monitor BPD facilities 24 hours a day, 7 days a week. A digital video camera system monitors all entrances, the building perimeter, and certain interior areas, including the data center, and records activity 24 hours a day.

All people entering each building are required to place any materials, packages, bundles, etc. onto an x-ray machine. Entrants are also required to pass through a walkthrough metal detector.
An activation of the walkthrough metal detector results in further screening by the security guard, utilizing a handheld metal detector to identify the source of activation. In addition, entrants must swipe their badges into an access control system that grants access to authorized personnel.

[8] Only designated DSEP specialists have access to PACS. Vendors that are authorized to have a badge are issued a One-day badge and must leave their access badge onsite following completion of work in the data center. A log of One-Day badges is maintained and reviewed (b) (2).

Tests of Operating Effectiveness and Results of Testing

1. Inspected physical access policies and procedures for the data center and determined that they were documented and included the identification of sensitive/critical areas to which access needs to be restricted, physical access controls designed to detect unauthorized access, and procedures for log reviews and investigation of violations.

2. Observed physical access controls of BPD buildings and the OIT data center and noted that security guards, video cameras, badge readers, displayed badges by employees, and locked doors were in place and in operation to restrict access.

3. Observed persons entering BPD buildings and noted that persons were required to place any materials, packages, bundles, etc. onto an x-ray machine, and additionally were required to pass through a walkthrough metal detector.

4. Observed persons entering BPD buildings and noted that an activation of the walkthrough metal detector resulted in further screening by the security guard, utilizing a handheld metal detector to identify the source of activation.

5.
Observed entrants swipe their badges into the access control system and noted that the control system granted access to authorized personnel.

6. For a selection of personnel granted data center access, inspected supporting documentation and determined that access badges were issued to personnel with a completed background check and fingerprinting.

7. Observed employees within the BPD buildings and noted that badges were displayed.

8. Inspected the data center access list and compared to a list of separated employees and determined that separated employees were removed from the badge reader system.

9. Inspected a list of employees with card key access to the data center and tape storage room from the card security system and an OIT phone list showing employees requiring access to the data center and tape storage room and determined that physical access to the OIT data center was restricted to authorized employees only.

10. For a selection of employees and contractors granted access to the data center during the examination period, inspected the iET record for the access grant and determined that access was approved by the data center manager.

11. Inspected permissions to access the PACS badge system of BPD security management, and determined that access permissions to the physical access systems were commensurate with job responsibilities.

12. For a selection of months, inspected evidence of the monthly review of violation logs and determined that a review to identify unauthorized access attempts was performed and violations were followed up on.

13. For a selection of dates, inspected visitor logs and determined that visitor logs were reviewed by OIT management.

14.
For a selection of days, inspected shift logs and determined that an inventory of vendor badges was performed.

15. Inspected documentation of the semi-annual review of physical access privileges to the data center and determined that access privileges were reviewed.

16. Inspected documentation of the annual recertification of physical access privileges to the data center and determined that access privileges were recertified.

No exceptions noted.

Control Objective 5 – Logical Access

Controls provide reasonable assurance that logical access to system and application software is restricted to authorized individuals.

Description of Controls

BPD has guidelines for the preparation of security plans for applications and systems that process Sensitive but Unclassified information. All mission-critical systems and general support systems are subject to an internal risk-based review every three years. This review identifies assets and possible threats to these assets, provides a measure of vulnerability of the system to these threats, and confirms control or protective measures are in place.

The InvestOne accounting system is classified as a mission-critical system.

InvestOne security along with the host mainframe’s security package controls access to the InvestOne accounting system. InvestOne restricts access to accounts within the system based on user identification (UID). InvestOne access is restricted to authorized personnel.
The security package is also used to restrict OIT personnel’s access to system software, database files, and program libraries.

FedInvest is a web-based user interface through which users have access to enter transactions into and view InvestOne accounting system data. External users are limited to accessing InvestOne accounting system data through FedInvest. External users that invest in Government Account Series (GAS) securities are able to connect to FedInvest over the Internet to input transactions into the InvestOne accounting system as well as to view account statements and transaction information.

Administrator access permissions are assigned to FedInvest and the InvestOne accounting system users commensurate with their job responsibilities.

OPDA follows BPD system administration security password guidelines/procedures to establish and maintain passwords. [9] Passwords are not displayed when entered. The reserved word feature is enabled to prevent the use of commonly used words in passwords.

Information System Security Representatives (ISSRs) manage access to the InvestOne accounting system. Users must complete and submit an Access Request/Revoke Form to the Division of Federal Investments (DFI) who approves the form and forwards to DSPS before access is granted. DFI personnel authorize the form and forward to OPDA ISSRs to process the request. DSPS has documented procedures for granting access. Modifications to user accounts require use of the same Access Request/Revoke Form.

External users must have their supervisor’s approval along with DFI approval documented on an Access Request/Revoke Form before access is granted to FedInvest. When an external user accesses InvestOne data, they enter a user ID and password into FedInvest. User IDs are authenticated by a security utility [10].
If the required authentications failed, the user would be prevented from accessing InvestOne data through FedInvest.

ISSRs remove FedInvest and InvestOne access from users at the request of their managers/supervisors or FIB personnel. Each access removal request is documented on an Access Request/Revoke Form.

[9] These guidelines require passwords (b) (2)
[10] BPD's standard authentication utility, BPDLogin, is used to authenticate users. (b) (2)

On a routine basis, an ISSR reviews Internal Violations Reports for any inappropriate activity; follow-up is notated on the report.

Additionally, on a periodic basis an ISSR reviews a report of all InvestOne user IDs that have not been used to access InvestOne accounting system within a predetermined number of days [11]. The ISSR follows up with any affected users by email or by phone.

Additionally, OPDA recertifies access to mission critical systems by verifying access privileges for all InvestOne and FedInvest users. DSPS ISSRs remove any user IDs or access privileges identified for deletion by the user’s manager/supervisor or DFI personnel when accompanied by a revoke form.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

• Ensure access to the FedInvest system is restricted to properly authorized individuals.

Tests of Operating Effectiveness and Results of Testing

1. Inspected the relevant Certification and Accreditation (C&A) of the InvestOne and FedInvest systems and determined that the system had been authorized to operate.

2. Inspected the InvestOne and FedInvest risk assessment and determined that a risk assessment was performed.

3.
Inspected the InvestOne and FedInvest security plan and determined that the plan was documented.

4. Observed a user log into the InvestOne accounting system and the FedInvest system and noted that their access was restricted in accordance with the system configuration.

5. For each new InvestOne user, compared access granted to an OPDA Organization Chart and determined that access privileges were commensurate with job responsibilities.

6. Inspected security guidelines and procedures for InvestOne and FedInvest and determined that logical access procedures were documented.

7. Inspected a list of users with administrator access privileges to InvestOne and FedInvest and determined that access was limited commensurate with job responsibilities.

8. Inspected an organizational chart and determined that administrator access was commensurate with job responsibilities.

9. Inspected security guidelines and procedures for InvestOne and FedInvest and determined that logical access controls procedures were documented.

10. Inspected password settings for InvestOne and FedInvest and determined that password length, complexity, and expiration settings were configured in accordance with BPD requirements.

[11] A list of InvestOne users that have not logged into InvestOne (b) (2) is reviewed (b) (2).

11. Observed a user log into InvestOne and FedInvest and determined that their password was masked as they entered it.

12. For a selection of new InvestOne users, inspected documented user access request forms and determined that access was authorized.

13.
For a selection of new FedInvest users, inspected documented user access request forms and determined that access was authorized by DFI and the user’s supervisor.

14. Inspected a list of all separated and transferred BPD employees and lists of InvestOne and FedInvest user IDs and determined that access to InvestOne and FedInvest had been revoked for terminated and transferred BPD employees.

15. For a selection of weeks, inspected reports listing InvestOne security administrator actions entered into the system and determined that the reports were reviewed by an ISSR and any exceptions were followed up.

16. For a selection of weeks, inspected ACF2 InvestOne audit log reports and evidence of review, and determined that the reports were reviewed by an ISSR and any exceptions were followed up.

17. For a selection of months, inspected evidence of review and removal of inactive accounts and determined that inactive user accounts were reviewed and removed on a monthly basis.

18. Inspected documentation of the review and recertification of internal InvestOne and FedInvest user access and determined that internal InvestOne and FedInvest user access was reviewed and recertified.

19. For a selection of external FedInvest users, inspected documentation of the review and recertification of external FedInvest user access and determined that external FedInvest user access was reviewed and recertified.

20.
For a selection of user account recertification reviews requesting removal of user access privileges, inspected InvestOne and FedInvest user lists, and determined that requested modifications were made.

No exceptions noted.

Control Objective 6 – Computer Operations

Controls provide reasonable assurance that computer processes are scheduled appropriately and deviations are identified and resolved.

Description of Controls

The InvestOne accounting system is an interactive mainframe system with master data files that are updated when entries are posted. End-of-day processes perform maintenance to the data tables and data backups. OIT support personnel complete the Production Control Daily Checklist to verify the successful completion of end-of-day processes. Data entry error checking and input screen designs help ensure that the data entered by the users is accurate and complete. The error checks include verification of entered data based on predetermined values and ranges. Errors detected by the system are rejected immediately and must be corrected before the transaction is permitted to update the master data tables.

Daily user operations procedures are posted for the InvestOne accounting system to provide operators with the information necessary to sequentially complete daily processing. Additionally, a monthly calendar is posted that highlights the daily requirements. The InvestOne accounting system configuration requires that daily reporting be performed in sequence before transaction processing can begin.
OIT completes the Production Control Monthly Checklist to verify the successful completion of end-of-month processes.

The mainframe job scheduler software controls the scheduling of batch jobs for the InvestOne accounting system. The job scheduler allows all programs for batch processing, printing and data backup to be scheduled and performed automatically. Access to the job schedules is limited to OIT support personnel and privileges are commensurate with job responsibilities. The job scheduler sends messages confirming successful completion of each day’s scheduled jobs to OIT and DSPS. Any abends are also communicated to the appropriate OIT and OPDA personnel as they happen through automated messages. Abends are resolved and jobs are restarted as necessary through the job scheduler.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of dates, inspected Production Control Daily Checklists and determined that the checklists were used during processing.

2. Inspected screenshots taken during the observation of the entry of transactions into the InvestOne accounting system and determined that error checking edits prevented users from entering values of the wrong data type or values not on lookup lists.

3. Inspected posted daily user operations for InvestOne and FedInvest, the FIB Daily Procedures, and the monthly requirements calendar and determined that these schedules and procedures were available.

4. For a selection of months, inspected the monthly requirements calendars and determined that these schedules were available.

5. For a selection of months, inspected Production Monthly Checklists and determined that the checklists were used during month-end processing.

6.
Inspected the InvestOne accounting system job schedule and determined that a job production schedule for InvestOne was documented.

7. Inspected privileges of individuals granted access to make modifications to schedules and job control language for production jobs in the mainframe job scheduler and inquired of management regarding job responsibilities, and determined that access privileges were limited commensurate with job responsibilities.

No exceptions noted.

Control Objective 7 – Network Performance Monitoring

Controls provide reasonable assurance that network performance monitoring techniques are implemented appropriately.

Description of Controls

Users must be connected to the BPD Intranet to access the InvestOne accounting system. Additionally they must run terminal emulation software to connect to the mainframe environments. Network performance and availability are monitored by OIT at all times. [12]

Tests of Operating Effectiveness and Results of Testing

1. Observed OIT Command Center staff and noted that monitoring tools were used to monitor the performance and availability of BPD networking equipment, such as switches and firewalls.

2. Observed OIT Command Center staff and noted that tools were used to monitor the performance and availability of the FedInvest website.

3.
Inquired of management and were informed that the OIT Command Center was staffed 24 hours a day.

No exceptions noted.

[12] Using the following utilities: A combination of monitoring tools (b) (2) are used to monitor networking equipment such as switches and firewalls. These tools automatically report any network equipment or application outages to the Network Operations Center.

INVESTMENT/REDEMPTION PROCESSING CONTROLS

Control Objective 8 – Item Processing Security

Controls provide reasonable assurance that an authorized investment authority is established prior to processing investment requests.

Description of Controls

The Office of the Fiscal Assistant Secretary (OFAS) prepares the Department of the Treasury Operating Circular (Operating Circular) that communicates the policies and procedures regarding the government accounts on the books of the Treasury that the Secretary of the Treasury has been authorized or directed by law to invest. The Operating Circular describes the government investment account responsibilities that the Treasury has, and the fiscal responsibility the Fund Agencies have, for the use of the invested funds.

The Operating Circular also describes the process for how Treasury issues approval of the Fund's investment authority.
FIB creates new investment accounts in the InvestOne accounting system that will be available in FedInvest after FIB receives confirmation that the BPD Chief Counsel’s office and Assistant General Counsel for Banking and Finance completed the legal review of the Fund’s investment authority or receives a completed Memorandum of Understanding (MOU) between Treasury's OFAS and the Fund Agency.

BPD Chief Counsel’s office maintains records concerning all legal matters with regards to new and existing investment funds.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

• Provide applicable legislation to FIB, and any subsequent legislation revisions, that authorizes the Fund Agency to invest.

• Verify the authority to invest prior to submitting investment/redemption requests.

• Ensure that only authorized personnel sign requests or submit transactions in FedInvest.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of new accounts, observed FIB process account requests and noted that FIB approved the investment account and obtained authorized investment authority in accordance with the documented procedures.

2.
For a selection of investment accounts created during the examination period, inspected documentation of approval from Treasury for their creation and determined that approval from Treasury was received prior to the creation of investment accounts.

No exceptions noted.

Control Objective 9 – Item Capture

Controls provide reasonable assurance that investment and redemption requests are processed and recorded accurately and prepared in a timely manner.

Description of Controls

Fund Agencies log on to FedInvest to enter their investment and redemption requests prior to the 3:00 pm EST deadline (11:00 am EST for Zero Coupon Bonds). Investment options include: (1) Market-based bills, notes, bonds, Treasury Inflation Protected Securities (TIPS); (2) One-day certificates; (3) Par-value securities for agencies with proper legislative authority; and (4) Zero Coupon Bonds. Procedures for processing investment and redemption requests by FIB accountants on behalf of the Fund Agency are documented for each type of transaction. For new market-based securities auctioned by Treasury, FIB accountants manually set up the new securities with a Committee on Uniform Securities Identification Procedures (CUSIP) number assigned by the Treasury into the InvestOne accounting system. Zero Coupon Bond securities are manually set up by FIB accountants with a CUSIP number assigned by the Treasury into the InvestOne accounting system only when an investment request is received by the agency.
One-day and par-value securities are also set up by an FIB accountant; however, the FIB accountant assigns a security number based on the security name and date of issue instead of a CUSIP number.

When necessary, a Fund Agency can send investment/redemption requests by fax, email, or hard copy to FIB for processing on their behalf. To ensure that the Fund Agency’s investment/redemption requests are suitable and have been entered correctly into the system, two FIB accountants review and sign each request, in addition to the accountant who entered the transaction into the FedInvest or InvestOne accounting system. The FIB accountants inspect the requests to ensure that they include: name of fund, account symbol, date of request, amount, type of security to invest/redeem, and authorized signature of the Fund Agency manager or authorized agent. If the requests do not contain the required information, the FIB accountants contact the Fund Agency to obtain the required information. Investment/redemption requests are processed as of the date on the requests.

Market-based securities – Office of Debt Management (ODM) provides FIB daily security price files for the market-based securities. These price files are calculated by ODM using Federal Reserve Bank (FRB) of New York Treasury Price Quote files. FIB accountants perform daily procedures to ensure the accuracy of the prices and for contingency planning in the event that ODM price files are unavailable to FIB. FIB accountants obtain the FRB of New York Treasury Price Quote files from a secure website using a digital certificate. The FIB accountant runs a desktop COBOL program that uses the FRB of New York prices to calculate and prepare market-based price files that can be loaded into the InvestOne accounting system.
The desktop COBOL program also compares the calculated prices to the prices contained in the ODM files, producing an exception report of any differences. In addition, an FIB accountant performs a yield curve comparison to check for significant variances from the composite Bloomberg generic pricing source obtained from the Bloomberg terminal. The FIB accountant notifies ODM of any price differences on the Exception Report and unusual variances identified from the yield curve comparison and ODM provides FIB with certification of any necessary price corrections via email. The FIB accountant loads the market-based prices into the InvestOne accounting system and FedInvest by approximately 1:00 pm EST.

One-day securities – The FRB of New York provided FIB the daily rate for one-day certificates through November 2, 2008. Beginning November 3, 2008, ODM provides FIB the daily rate for the one-day certificates in an email of daily market bid quotations on most recently auctioned treasury bills. The one-day rate is the prior day's coupon equivalent of the shortest regularly issued treasury security, currently the 4-week bill.
Each morning, a FIB accountant enters the overnight interest rate for the one-day security into the InvestOne accounting system and FedInvest and a second accountant compares the InvestOne accounting system security definition screens to the ODM email received to ensure the rate was recorded accurately.

Par-value securities – On the first business day of each month, a FIB accountant creates the par-value securities in the InvestOne accounting system and FedInvest using the rates provided by the Division of Accounting Operations (DAO) Principal and Interest Accounting Team (PIAT). PIAT prepares the rates for submission to FIB using rates provided by ODM and the average auction results of Treasury securities as specified in the pertinent legislation. Once the par-value security rates are compiled, they are submitted to the PIAT team lead for review. The team lead reviews the rates prior to submission to FIB by comparing the rates on the form for submission to the rates obtained from ODM and the security auction results tables. Once the securities have been created in the InvestOne accounting system using the rates obtained from PIAT, the FIB accountant compares the InvestOne accounting system security definition screens to the rates provided by PIAT to ensure that the rates are recorded accurately and documents the review on the assigned functions listing.

Zero Coupon Bond securities – ODM provides the Zero Coupon Bond pricing on an as needed basis. Currently, only two Fund Agencies invest in Zero Coupon Bonds. FIB receives the Fund Agency instructions for the purchase/redemption of Zero Coupon Bonds through a FedInvest email notification. A Fund Agency must enter Zero Coupon Bond purchase requests into FedInvest prior to 11:00 AM on the desired date. Once the purchase request has been entered, FedInvest sends an automated email to the FIB accountants and the FIB accountants forward the request to ODM for pricing.
ODM prices the transaction at approximately noon and provides the
pricing data to FIB. A FIB accountant enters the applicable pricing data and posts the requested
transaction in InvestOne accounting system. Two other FIB accountants compare the pricing
information from the InvestOne accounting system to the pricing data received from ODM to
ensure the pricing is accurately recorded. A confirmation is available in FedInvest to the
FedInvest user. The preparer and reviewing FIB accountants initial the transaction confirmation
to document their review.

Fund Agencies that have not authorized FIB to process investment transactions on their behalf
need to purchase new one-day securities each day using FedInvest (their investments are not
automatically rolled over). If an Agency cannot access FedInvest, the agency must request the
investment via email, fax, or hard copy. FIB accountants process these overnight transactions as
instructed.

Investment Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request
form and provides the form to a supervisor for approval. The supervisor reviews and approves
the form and submits the form to FIB. FIB verifies that the information is complete then e-mails
the IT Service Desk to request that the user be added to Contact Management. Once IT Service
Desk notifies FIB that the user has been added to Contact Management, FIB provides the user
form to the DSPS ISSRs for user set-up in FedInvest. OIT provides the new user with their user
ID and temporary password and contacts the user to login to FedInvest with the temporary
password, answer security questions, and change the password. FIB then coordinates FedInvest
training with the new user.
When a FedInvest user is terminated, the Fund Agency uses the
above stated form to revoke access and submits the approved form to FIB. FIB follows the same
process stated above to revoke the user.

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user
selects the Account Fund Symbol (AFS), date, security type, and investment amount in
FedInvest.

Before Prices Loaded – The FedInvest user may enter investment requests before prices are
loaded in the system for up to 10 business days in the future except for Zero Coupon Bonds and
Special Issue Certificates of Indebtedness. Upon submission of the request, the user receives a
confirmation number, which is proof to the customer that their request was accepted. When
prices are loaded by the FIB accountant into the InvestOne accounting system, the FIB
accountant uses the FedInvest RPA module to load the prices into FedInvest, publish them on the
website, and apply the prices to the pending investment transactions. Once the price has been
applied to the transaction, it is automatically posted to the InvestOne accounting system and the
confirmation number is replaced with a memo number that is also on the confirmation available
to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter investment requests after prices are loaded
into the InvestOne accounting system, except for Zero Coupon Bonds. Since FedInvest interfaces
with the InvestOne accounting system, the InvestOne accounting system automatically assigns a
memo number and applies the price/rate. A confirmation of results is available in FedInvest to
FedInvest users.

Zero Coupon Bond securities – The FedInvest user may enter investment requests by 11:00 am
EST. FedInvest sends the request by email to the FIB accountants who forward the request to
ODM for pricing.
ODM prices the purchase of the Zero Coupon Bond at approximately 12:00
pm EST and forwards the results to FIB by email. The FIB accountant enters the pricing results
into the InvestOne accounting system, posts the transaction, and forwards the memo number to
the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest user.

FIB may receive investment requests via fax, email, or hard-copy from Fund Agencies when
necessary. A FIB accountant enters the request into FedInvest or InvestOne on behalf of the
Fund Agency. Then two FIB accountants compare the transaction confirmation to the investment
request to ensure the investment request is recorded accurately, posted to the correct day, and
then initial the investment request to document their review. A confirmation of results is
available in FedInvest to the FedInvest user the same day.

On the following business day, a FIB accountant compares the InvestOne Spectra report (Prior
Day Review) to the investment requests submitted by the Fund Agency to ensure transactions
were properly entered into the InvestOne accounting system. The FIB accountant documents this
review by signing the investment request.

Redemption Request Processing

To establish access to FedInvest, the Fund Agency completes a FedInvest Logon-ID Request
form and provides the form to a supervisor for approval. The supervisor reviews and approves
the form and submits the form to FIB. FIB verifies that the information is complete then e-mails
the IT Service Desk to request that the user be added to Contact Management.
Once IT Service
Desk notifies FIB that the user has been added to Contact Management, FIB provides a copy of
the FedInvest Logon-ID Request form to the DSPS ISSRs for user set-up in FedInvest. OIT
provides the new user with their user ID and temporary password and contacts the user to login to
FedInvest with the temporary password, answer security questions, and change the password.
FIB then coordinates FedInvest training with the new user. When a FedInvest user is terminated,
the Fund Agency uses the above stated form to revoke access and submits the approved form to
FIB. FIB then goes through the same process stated above to revoke the user.

Fund Agency users access FedInvest using their user ID and password. The Fund Agency user
selects the AFS, date, inventory method (First-In First-Out (FIFO) or Specific ID), security type,
and redemption amount in FedInvest.

Before Prices Loaded – The FedInvest user may enter Market-based bill, note, and bond
redemption requests using the FIFO inventory method before prices are loaded in the system for
up to 10 business days in the future. Upon submission of the request, the user receives a
confirmation number which is proof to the customer that their request was accepted. When prices
are loaded by the FIB accountant into the InvestOne accounting system, the FIB accountant uses
the FedInvest RPA module to load the prices into FedInvest, publish them on the website, and
apply the prices to the pending redemption transactions.
Once the price has been applied to the
transaction, it is automatically posted to the InvestOne accounting system evidenced by the
replacement of the confirmation number with a memo number that is also on the confirmation
available to the user in FedInvest.

After Prices Loaded – The FedInvest user may enter Market-based bill, note, bond and TIPS
redemption requests using the FIFO or Specific ID inventory methods after prices are loaded in
the InvestOne accounting system and FedInvest. If Fund Agencies have tax lots (a group of the
same securities purchased on different dates) and decide to apply the specific identification
method rather than the FIFO method to redeem from specific tax lots, Fund Agencies need to
select “Specific ID” inventory method to override the InvestOne accounting system default
setting of the FIFO method, and enter the principal amount to redeem for each tax lot. Since
FedInvest interfaces with the InvestOne accounting system, the InvestOne accounting system
automatically assigns a memo number and applies the price/rate. A confirmation of results is
available in FedInvest to FedInvest users.

Par-value securities - Special par-value securities have unique redemption rules that require the
InvestOne accounting system to redeem them based on the order of earliest maturity date, lowest
prevailing interest rate, and FIFO. The FedInvest user receives a confirmation with a
confirmation number and a message that the redemption rules will be applied in accordance with
Treasury Fiscal Policy. The transaction will be pending until after the close of business on the
effective date.
At close of business (after 3:00 pm EST) on the effective date of the redemption,
the FIB accountant uses the FedInvest RPA module to run the Post Par Value Sell Transactions
that will process, post, and assign memo numbers to the pending redemption requests in the
InvestOne accounting system using the unique redemption rules. A confirmation of results is
available in FedInvest to FedInvest users.

Zero Coupon Bond securities – The FedInvest user must enter redemption requests into FedInvest
(by 11:00 am EST) and FedInvest sends an email to the FIB accountants who forward the request
to ODM for pricing. ODM prices the redemption of the Zero Coupon Bond at approximately
12:00 pm EST and forwards the results to FIB via email. The FIB accountant enters the pricing
results into the InvestOne accounting system, posts the transaction, and forwards the memo
number to the FedInvest user. A confirmation of results is available in FedInvest to the FedInvest
users.

FIB may receive redemption requests via fax, email, or hard-copy from Fund Agencies when
necessary. A FIB accountant enters the request into FedInvest or the InvestOne accounting
system on behalf of the Fund Agency. Then two FIB accountants review and initial the
redemption request. A confirmation of results is available in FedInvest to the FedInvest user the
same day.

On the following business day, a FIB accountant compares the InvestOne Spectra report (Prior
Day Review) to the redemption requests submitted by the Fund Agency to ensure transactions
were properly entered into the InvestOne accounting system.
The FIB accountant documents this
review by signing the redemption request.

Investment Maturity Processing

If Fund Agencies do not redeem securities prior to the maturity date, the InvestOne accounting
system automatically matures the securities on the maturity date. A confirmation of results is
available in FedInvest to the FedInvest user. Each business day, a FIB accountant runs a report
for all one-day investments from the previous business day and the current day's maturities,
reviews the report to make sure that all one-day investments matured and paid interest, and
documents approval by initialing the daily checklist.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

•   Ensure that the submission of investment/redemption requests in FedInvest is accurate and
    completed prior to 3:00 pm EST (11:00 am EST for Zero Coupon Bonds).

•   Notify FIB if the investment/redemption requests have been processed incorrectly so that
    correcting transactions may be processed before 3:00 pm EST.

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    their instructions.

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

Tests of Operating Effectiveness and Results of Testing

1. Observed the FIB accountant upload the price file for market-based securities into the
   InvestOne accounting system and determined that the FIB accountant followed the
   established policies and procedures.

2. For a selection of business days, inspected documentation of the daily procedures performed
   by the FIB accountants regarding the market-based securities pricing and determined that the
   FIB accountants followed the established policies and procedures, as evidenced by the FIB
   accountants’ sign off on the daily procedures checklist.

3. For a selection of business days, inspected the daily procedures checklist and determined that
   the FIB accountants performed a yield curve comparison to identify significant variances
   between the ODM price file for market-based securities and the composite Bloomberg
   generic pricing source obtained from the Bloomberg terminal.

4. For a selection of business days, inspected the daily procedures checklist and determined that
   the FIB accountant ran the desktop COBOL program that compares the FIB calculated prices
   for market-based securities to the prices contained in the ODM files producing an exception
   report of any differences.

5. For a selection of business days, inspected the daily procedures checklist and InvestOne
   security definition screens and determined that a second FIB accountant reviewed the loaded
   overnight interest rate for one-day securities into the InvestOne accounting system and
   FedInvest by comparing the InvestOne accounting system security definition screens to the
   ODM email to ensure the rate was recorded accurately.

6. For a selection of months, inspected documentation of the PIAT provided pricing for
   par-value securities and determined that the PIAT team leader reviewed the rates provided to FIB,
   the FIB accountant accurately loaded the rates into the InvestOne accounting system, and a
   second FIB accountant compared the rates from the InvestOne accounting system security
   definition screens to the rates provided by PIAT to ensure the rate was accurately recorded.

7. For a selection of investments and redemptions of Zero Coupon Bonds, inspected the
   transaction confirmation from FedInvest and determined that: the pricing information
   provided by ODM was accurately recorded into the InvestOne accounting system, two other
   FIB accountants reviewed the pricing information to ensure accuracy, and the transaction was
   recorded accurately and in a timely manner.

8. Inspected investment/redemption processing request procedures and observed the FIB
   accountant process investment/redemption requests and determined that FIB processed
   investment/redemption requests in accordance with the established procedures.

9. For a selection of investment/redemption requests, inspected signed Request for
   Investment/Redemption forms or emailed authorization and determined that: FIB was
   authorized by the Fund Agency to process each investment/redemption request prior to entry
   into the InvestOne accounting system, the documented procedures were followed, the
   investment/redemption request was initialed by the accountant recording the entry, the entry
   was properly reviewed and initialed by two other FIB accountants after entry into the
   InvestOne accounting system, a comparison of each request form to an InvestOne Spectra
   report was documented by an FIB accountant, the request was recorded accurately and in a
   timely manner, and documentation is maintained and available.

10. For a redemption request entered through FedInvest, inspected the confirmation and
    determined that the redemption was recorded accurately and processed as requested in a
    timely manner.

11. For an investment request entered through FedInvest, observed the InvestOne accounting
    system automatically assign a memo number, apply the price/rate, and generate and post an
    on-line confirmation, and determined that the request was recorded accurately and processed
    in a timely manner.

12. Observed the FIB accountant use the FedInvest RPA module to run the Post Par Value Sell
    Transactions and process, post, and assign memo numbers to the pending redemption
    requests in the InvestOne accounting system using the redemption rules for par-value
    securities and determined that the FIB accountant followed the established policies and
    procedures. Further, reperformed the system’s selection of the security redeemed for one
    Fund Agency redemption request and determined that the system properly applied the
    redemption rules for par-value securities.

13. For a selection of business days, inspected documentation of the daily procedures performed
    by the FIB accountants regarding par-value security redemptions and determined that the FIB
    accountants followed the established policies and procedures, as evidenced by the FIB
    accountants’ sign off on the daily procedures checklist.

14. For a selection of business days, inspected documentation of the daily procedures performed
    by the FIB accountants and determined that the FIB accountant ran a report for all one-day
    investments from the previous business day and the current day’s maturities, reviewed the
    report to ensure that all one-day investments matured and paid interest, and documented
    approval by initialing the daily checklist.

15. For a matured investment, inspected the corresponding confirmation and determined that the
    InvestOne accounting system automatically matured the security on the maturity date,
    accurately recorded the transaction in a timely manner, and posted an on-line confirmation on
    FedInvest.

No exceptions noted.

Control Objective 10 – Confirmations

Controls provide reasonable assurance that confirmations are processed in a timely and accurate
manner.

Description of Controls

The InvestOne accounting system assigns a memo number for transactions entered in FedInvest
that are posted immediately into the InvestOne accounting system.

A confirmation number is created for each transaction entered into FedInvest that is not processed
immediately upon entry (e.g., market based transactions before prices are loaded, Zero Coupon
Bonds, and special issue par-value redemptions) to notify the user that the transaction is in the
processing queue. Once transactions are processed into the InvestOne accounting system, the
InvestOne accounting system assigns an individual memo number that replaces the confirmation
number.
Memo numbers are provided to Fund Agency FedInvest users through the interface
between FedInvest and the InvestOne accounting system.

For each entry into the InvestOne accounting system, the system automatically generates and
posts an on-line confirmation of the transaction available in FedInvest for Fund Agency
reconciliation. Fund agencies access FedInvest using their user ID and password to obtain
confirmations.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

•   Track investment/redemption confirmations to ensure that the Fund Agency FedInvest user
    correctly processes all requests.

•   Review and reconcile all transaction confirmations to determine that they are accurate and
    complete, and report discrepancies to FIB so correcting transactions may be processed before
    3:00 pm EST.

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    their instructions.

Tests of Operating Effectiveness and Results of Testing

1. For an investment request, a redemption request, and a maturity of securities, inspected
   FedInvest and determined that FedInvest automatically generated and posted an on-line
   confirmation that accurately reflected the transaction and indicated that the transaction was
   processed accurately and timely.

2. For an investment request, a redemption request, and a maturity of securities, observed the
   processing of transactions in the InvestOne accounting system and noted that the InvestOne
   accounting system automatically assigned a memo number and the request was recorded
   accurately and in a timely manner.

3. For an investment request entered into FedInvest but not immediately processed into the
   InvestOne accounting system (due to the fact that pricing information was not yet loaded),
   observed FedInvest and noted that a confirmation number was automatically assigned and an
   on-line confirmation indicated that the transaction was in the processing queue. Observed
   FedInvest after the pricing information was loaded and noted that the confirmation number
   assigned upon data entry was replaced with a memo number and that the request was
   recorded accurately and in a timely manner.

No exceptions noted.

Control Objective 11 – Fund Balance Adjustment

Controls provide reasonable assurance that Fund Agency account balance adjustments, due to
errors in processing or Fund Agency errors, are processed completely and accurately.

Description of Controls

Fund Agencies should detect errors by reviewing confirmations. Fund Agencies notify FIB of the
errors and send adjustment information. FIB maintains a documented procedure detailing the
steps that need to be performed when making a correction or adjustment.
The
Correction/Adjustment Check List documents the tasks that generally need to be completed when
making a correction or adjustment. When necessary, a FIB accountant enters an adjustment or
corrects the original transaction in the InvestOne accounting system. The InvestOne accounting
system processes the adjustment and a confirmation of the adjustment or corrected transaction is
available in FedInvest to the FedInvest user.

The FIB accountant prepares a correction package and completes the Correction/Adjustment
Check List when adjustments are necessary. Two other FIB accountants (the team leader and a
reviewing FIB accountant) review and approve the correction package and any transactions
posted to InvestOne, PARS, and/or IPAC, as applicable. The review and approval process is
completed by determining that the necessary steps on the Correction/Adjustment Check List have
been performed.

A FIB accountant runs a report from the FIB Menu (a COBOL collection of desktop programs) to
create Monthly Statements of Account, which document all transactions processed for a
particular month, including any necessary adjustments. The Monthly Statement of Account is
made available in FedInvest and on the BPD’s TreasuryDirect website for review by the Fund
Agencies.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

•   Review investment/redemption/maturity/interest confirmations and Monthly Statements of
    Account to ensure that each request was processed accurately, timely, and in accordance with
    their instructions.

•   Review adjustments and make prompt and appropriate journal entries to the accounting
    records, to adjust the investment and interest account balances.

•   Review Monthly Statements of Account to verify that adjustments were processed completely
    and accurately.

Tests of Operating Effectiveness and Results of Testing

1. Inspected written procedures and observed the processing of error corrections and determined
   that the corrections were performed in accordance with the established procedures.

2. For a selection of account balance adjustments, inspected the Fund Agency’s adjustment
   request and the Correction/Adjustment Check List and determined that two FIB accountants
   documented their review of each adjustment request and that the request was processed
   completely and accurately.

3. Observed the FIB accountant prepare and post the Monthly Statement of Account for one
   month and determined that the FIB accountant followed the established policies and
   procedures.

4. For a selection of Monthly Statements of Accounts, inspected the Monthly Statements of
   Account on FedInvest and determined that they were posted by the first working day after the
   end of the month and were made available for review to the Fund Agencies.

5. For a selected adjustment, inspected the respective Monthly Statement of Account and
   determined that the Monthly Statement of Account indicated that the adjustment was
   processed accurately.

No exceptions noted.

Control Objective 12 – Recordkeeping

Controls provide reasonable assurance that support related to the investment accounts is
documented and readily available.

Description of Controls

Transaction confirmations and the Monthly Statements of Account containing InvestOne
accounting system data are available in FedInvest to the FedInvest users.
The Monthly Statement
of Account is also available on the TreasuryDirect website. FIB maintains file copies of the
investment/redemption requests that were processed by FIB on behalf of the Fund Agency.

On a daily basis, FIB receives market-based security price files from ODM and FRB of New
York, Zero Coupon Bond pricing as needed from ODM, and a daily email for the one-day
certificate rate from the FRB of New York through November 2, 2008 and from ODM beginning
November 3, 2008. On a monthly basis, FIB receives via email the par-value security rates from
PIAT. These quotations document the security prices/rates and are retained for future reference
for a period of seven years in accordance with the BPD document retention policies. FIB files
and retains Daily Principal Totals Reports, which detail all daily principal transactions and are
reconciled to the Balances-Summary (DIST) report daily.

FIB maintains copies of the Notification of Principal & Interest (P&I) Credit, which report
principal and interest activity on certain Marketable or Agency Security investments held at FRB
of New York. Each month, FIB prepares the Standard Form 1132, Investment Funds Summary
Holding Report (SF1132), Standard Form 1133-1, Marketable Securities Held by GAS Agencies
(SF1133-1), and Standard Form 1134-1 Agency Securities Held by GAS Agencies (SF1134-1)
reports, which document each Fund Agency’s account balance including securities held in
safekeeping at FRB New York. These reports are published on the TreasuryDirect website.

Tests of Operating Effectiveness and Results of Testing

1.   For a selection of Monthly Statements of Accounts, inspected the Monthly Statements of
     Accounts and determined that the reports were maintained and readily available.

2.   For a selection of investment/redemption requests, inspected the confirmations and
     determined that confirmations were maintained and readily available.

3.   For a selection of investment/redemption requests, inspected the request for
     investment/redemption forms and determined that documentation was maintained and
     available.

4.   For a selection of dates, inspected the Daily Principal Totals Reports and determined that
     the FIB accountants reconciled the reports to the Balances-Summary (DIST) report, the
     reconciliation was mathematically correct and documented, and the documentation was
     maintained and available.

5.   For a selection of transactions or dates, inspected pricing records and determined that
     pricing documentation was maintained and available.

6.   For a selection of months, inspected the Notification of P&I Credit and determined that the
     documentation was maintained and available.

7.   For a selection of months, inspected the SF1132, SF1133-1, and SF1134-1 reports and
     determined that the reports were maintained and readily available.

No exceptions noted.

Control Objective 13 – Segregation of Duties

Controls provide reasonable assurance that the duties of authorizing, processing information, and
verifying documents are appropriately segregated.

Description of Controls

FIB has established policies and procedures documenting that the following responsibilities are
segregated for Fund Agencies using FedInvest:

    •   Fund Agencies are responsible for requesting access to FedInvest.
    •   External FedInvest users must have their supervisor’s approval along with OPDA ISSR
        approval documented on an Access Request/Revoke form before access is granted to
        FedInvest.
    •   Access permissions are assigned to FedInvest and the InvestOne accounting system users
        commensurate with their job responsibilities.
    •   Fund Agencies access FedInvest and submit investment purchase and redemption
        requests.
    •   FedInvest interfaces with the InvestOne accounting system which processes and posts the
        investment and redemption requests and provides the data for the confirmations that are
        available in FedInvest to the FedInvest users.

FIB has established policies and procedures documenting that the following responsibilities are
segregated when FIB processes transaction requests on behalf of the Fund Agencies:

    •   Fund Agencies prepare and submit investment/redemption requests to FIB via fax, email,
        or hard copy form.
    •   FIB personnel enter the investment purchase or redemption request into FedInvest or the
        InvestOne accounting system.
    •   The InvestOne accounting system processes the investment and redemption requests and
        provides the data for the confirmations that are available in FedInvest to the FedInvest
        users.
    •   To verify that transactions have been processed accurately, two FIB accountants other
        than the one who entered the transaction will review and compare a copy of the
        investment/redemption request from the Agency to the data entered into the InvestOne
        accounting system. Both the accountant entering the transaction and those reviewing it
        initial the file copies to document that the procedure has been performed.
    •   On the following business day, an FIB accountant compares the InvestOne Spectra report
        (Prior Day Review Report) to the investment/redemption request submitted by the Fund
        Agency to ensure transactions were properly entered into the InvestOne accounting
        system. The FIB accountant documents completion of this review by signing the
        investment/redemption request.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

•   Ensure that access to FedInvest is restricted to properly authorized individuals.

Tests of Operating Effectiveness and Results of Testing

1. Inspected investment/redemption processing request procedures, observed the FIB accountant
   process investment/redemption requests, and determined that FIB processed the requests in
   accordance with the established procedures.

2. For a selection of investment/redemption requests, inspected signed Request for
   Investment/Redemption forms or emailed authorization and determined that: FIB was
   authorized by the Fund Agency to process each investment/redemption request prior to entry
   into the InvestOne accounting system, the documented procedures were followed, the
   investment/redemption request was initialed by the accountant recording the entry, the entry
   was properly reviewed and initialed by two other FIB accountants after entry into the
   InvestOne accounting system, a comparison of each request form to an InvestOne Spectra
   report was documented by an FIB accountant, the request was recorded accurately and in a
   timely manner, and documentation is maintained and available.

No exceptions noted.

Control Objective 14 – Interest Calculation and Payments

Controls provide reasonable assurance that interest is calculated accurately and interest
reinvestments are completed accurately.

Description of Controls

Interest

FIB has documented the methods for calculating interest for Government Account Series
securities in written desktop procedures. One-day securities pay interest daily, par-value
securities pay interest semi-annually on June 30 and December 31, and market-based notes,
bonds and TIPS pay interest semi-annually on various dates. The market-based bills and Zero
Coupon Bonds do not pay periodic interest and therefore interest income is equal to the discount
earned. The InvestOne accounting system calculates the amount of interest to be paid when
holdings are redeemed or interest payments are due.
The InvestOne accounting system calculates
interest based on the investment terms in the system in accordance with the requirements of 31
CFR Chapter II, Part 306, Subpart E, and Part 356, Appendix B, with the exception of one-day
securities. The InvestOne accounting system calculates interest for one-day securities using the
rate that FIB receives from FRB New York/ODM.

The InvestOne accounting system reports the results of the calculations on confirmations
available in FedInvest for Fund Agency reconciliation and re-computation. The confirmation
generation process is summarized as follows.

Fund Agencies access FedInvest using their user ID and password. Since FedInvest interfaces
with the InvestOne accounting system, the InvestOne accounting system data is displayed on the
confirmations that are immediately available in FedInvest to the FedInvest user.

The InvestOne accounting system also calculates certain accrued interest amounts and Inflation
Compensation Earned (ICE) on the TIPS. The InvestOne accounting system calculates ICE in
accordance with the requirements of 31 CFR Chapter II, Part 356, Appendix B.

FIB accountants can verify the accuracy of the InvestOne accounting system interest calculations
by manually recalculating interest for redemptions, maturities and semi-annual payment dates.

A COBOL program uses extracted data from the InvestOne accounting system to generate
Monthly Statements of Account (a cash basis statement that reflects the Agency’s investment SF
224 reporting, and shows interest income paid on each security). To create the Monthly Statement
of Account, a FIB accountant runs the COBOL program for both tax lot and summary levels.
This creates two text files for each Fund. The FIB accountant uses version control software to
publish the Monthly Statement of Account by Tax Lot in FedInvest for easy reference.
The FIB
accountant sends the summary level Monthly Statement of Account via email to PD Web Content
Management for review and publishing in FedInvest and on the TreasuryDirect website.

FIB makes the Monthly Statements of Account and investment/redemption confirmations
available to the Fund Agencies for reconciliation with their accounting records. In addition,
previous months’ statements are available for reference purposes. If the Fund Agency identifies
any errors, the Fund Agency should inform FIB so the necessary adjustments may be made.

Amortization of Premiums and Discounts

The InvestOne accounting system automatically calculates amortization of discount/premium
based on the investment terms in the system. FIB has documented the methods for calculating
the discount/premium amortization in written desktop procedures. The system calculates
amortization for market-based bills (i.e., short-term securities) using the straight-line method and
for market-based notes/bonds/TIPS/Zero Coupon Bonds (i.e., long-term securities), using the
level yield method, which approximates the interest method. A COBOL program is used to
create monthly Accrual Confirmation and Accrual Activity Reports for each account, which
contain the monthly amortization figures that are published in FedInvest for Fund Agency
reconciliation and re-computation. To create the Accrual Confirmation and Accrual Activity
Reports, a FIB accountant selects and runs the “accrual report” option from the FIB report menu.
This generates two text files that include the Accrual Confirmation and Accrual Activity Reports
for each fund.
The FIB accountant uses version control software to publish the Accrual
Confirmation and Accrual Activity Reports in FedInvest for easy reference. In addition, previous
months’ statements are available for reference purposes. If the Fund Agency identifies any
errors, the Fund Agency should inform FIB so the necessary adjustments may be made.

Accrued Interest

The InvestOne accounting system automatically calculates accrued interest based on the
investment terms in the system. FIB has documented the methods for calculating the accrued
interest in written desktop procedures. The FIB Menu accrual report program reports the results
of interest accruals in the monthly Accrual Confirmation and Accrual Activity Report and
publishes the report in FedInvest for Fund Agency reconciliation and re-computation. To create
the Accrual Confirmation and Accrual Activity Reports, a FIB accountant selects and runs the
“accrual report” option from the FIB report menu that generates two text files that include the
Accrual Confirmation and Accrual Activity Reports for each fund. The FIB accountant uses
version control software to publish the Accrual Confirmation and Accrual Activity Reports in
FedInvest for easy reference. In addition, previous months’ statements are available for reference
purposes. If the Fund Agency identifies any errors, the Fund Agency should inform FIB so the
necessary adjustments may be made.

Interest Reinvestments

FIB prepares an Investment Rollover Report for the Office of Fiscal Projections that includes
principal balances from the InvestOne accounting system and interest accruals that are associated
with those balances as of the date of the report. For the December 31 interest payments on
par-value securities, the money is reinvested into a certificate of indebtedness maturing the following
June 30.
For June 30 maturities and interest payments, FIB receives written documentation from
each agency that holds par-value securities that states how they want their interest and maturities
reinvested. June 30 is the only date on which agencies can invest in longer term par-value
securities (par-value bonds). OPDA reviews and approves the Investment Rollover Report for
accuracy and sends the report to Treasury headquarters. The Fiscal Assistant Secretary of
Treasury approves and returns the Investment Rollover Report for FIB to process on June 30.
The interest-reinvestment process for the non-par-value securities is the same as and subject to
the regular investment process discussed in Control Objective 9.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

• Ensure that the requested investment returns the appropriate amount of interest to meet their
  investment income goals.

• Reconcile interest payments received as presented in the confirmations and Monthly
  Statements of Account and recalculate interest for accuracy.

• Approve reinvestments of interest after review for accuracy, completeness, and compliance
  with instructions.

• Recalculate interest accrual and amortization of premium and/or discount and compare the
  results to the BPD-provided monthly Accrual Confirmation and Accrual Activity Reports.

• Report any interest accrual discrepancies noted on the monthly Accrual Confirmation and
  Accrual Activity Reports to BPD for resolution.

• Report any premium and/or discount amortization discrepancy noted on the monthly Accrual
  Confirmation and Accrual Activity Reports to BPD for resolution.

Tests of Operating Effectiveness and Results of Testing

1. Inspected interest calculation procedures and determined that interest calculation transactions
   were processed in accordance with procedures.

2. Inspected interest calculation procedures and determined that they were consistent with the
   requirements of 31 CFR, Chapter II, Part 306, Subpart E and Part 356, Appendix B.

3. For a selection of interest transactions including each type of GAS security other than
   one-day securities, recalculated the interest amounts, amortization, and ICE and determined that
   the system calculations were in accordance with the CFR requirements and mathematically
   accurate.

4. For a selection of one-day securities, recalculated the interest income and determined that the
   system calculations were mathematically accurate and complied with the desktop procedures.

5. For a selection of transactions processed in the InvestOne accounting system, inspected
   confirmations and determined that subsequent to transactions posting in the InvestOne
   accounting system, the system automatically generates and posts an on-line confirmation of
   the transaction available in FedInvest to Fund Agencies.

6. Inspected a confirmation and determined that the confirmation contained appropriate and
   necessary information to allow for Fund Agency reconciliation and re-computation of
   transactions.

7. For a selection of Accrual Confirmation Reports, inspected FedInvest and determined that the
   Accrual Confirmation Reports were available in FedInvest to Fund Agencies.

8. Observed the FIB accountant generate an Accrual Confirmation Report and publish it in
   FedInvest using version control software.
   We attempted to modify the published Accrual
   Confirmation Report and determined that the modification of the report was prevented.

9. For a selection of transactions from the Accrual Confirmation Reports, recalculated the
   amortization of premium and discount and determined that the level yield method utilized by
   FIB approximated the interest method.

10. For a selection of Accrual Confirmation Reports, inspected the reports and determined that
    they contained the necessary information for Fund Agencies to reconcile and re-compute
    accruals and amortization and that the information documented was accurate.

11. For a selection of Investment Rollover Reports, inspected the reports and determined that FIB
    management documented its review and approval of each report prior to distributing it to the
    respective Fund Agencies and that FIB maintained the written interest and maturities
    reinvestment requests from the Fund Agencies.

12. Inspected the June 2009 Investment Rollover Report and determined that FIB management
    documented its review and approval of each rollover plan in the Investment Rollover Report
    and the Assistant Secretary of the Treasury approved the report prior to processing.

13. For a selection of par-value securities interest reinvestments, inspected the supporting
    instructions and determined that reinvestments were completed in accordance with Fund
    Agency instructions.

No exceptions noted.

Control Objective 15 – Statement Rendering

Controls provide reasonable assurance that monthly reports are processed in a timely and accurate
manner.

Description of Controls

Monthly Statements of Account

A FIB Menu program extracts data from the InvestOne accounting system to produce the
Monthly Statement of Account that details cash basis reporting of a Fund Agency’s beginning
balance, investment/redemption activity, unrealized discount, premium/discount recognized,
interest earnings, adjustments processed and ending balance for the month. These reports are
available in FedInvest and on the TreasuryDirect website by the 1st working day after the end of
the month to be accessed by Fund Agencies for transaction reconciliation, investment monitoring,
and investment strategy initiatives. To create the report, the FIB accountant runs a COBOL
program that uses InvestOne accounting system data to create text files of the Monthly
Statements of Account at both the summary level and tax lot level for each fund. The FIB
accountant uses version control software to publish the Monthly Statements of Account at the tax
lot level in FedInvest for easy reference. The version control software protects the posted
documents so that external users have read-only access to them and they cannot be modified once
published. In addition, previous months’ statements are available for reference purposes.
If the
Fund Agency identifies any errors, the Fund Agency should inform FIB so the necessary
adjustments may be made. FIB’s policy requires that FIB accountants complete and forward
Monthly Statements of Account at the summary level to PD Web Content Management for
review and publishing in FedInvest and on the TreasuryDirect website by the 1st working day
after the end of the month.

Partial SF-224 Report

Federal Program Agencies are required to report the monthly investment activity to Treasury,
Financial Management Service (FMS). This reporting is generally accomplished using the
monthly SF-224, Statement of Transactions. However, FIB is able to report daily investment
activity to FMS on behalf of the Fund Agencies by submitting FIB's daily IPAC file to FMS. FIB
creates the FIB daily IPAC file, which is a configured system report, using a mainframe job. The
file includes the Fund Agency's Treasury Account Symbol (TAS) and the Business Event Type
Code (BETC) allowing the activity to be classified in the FMS Governmentwide Account
Statement, eliminating the need for the monthly SF-224 report for investment transactions.
According to the Treasury Financial Manual Bulletin No. 2007-03, FIB should be reporting the
investment activity for all investment customers. FIB is currently transitioning all Fund Agencies
to this process.

Additionally, FIB prepares a partial SF-224 on a monthly basis to report non-IPAC activity,
which consists of reclassification entries. FIB creates the partial SF-224 report and file using a
mainframe program and the InvestOne accounting system. FIB uploads the partial SF-224 file to
FMS using the GWA system.
FIB instructs agencies to obtain access to the FMS GWA Account
Statement application in order to verify the activity submitted by FIB.

Fund Agency Control Considerations

Fund Agencies should establish controls to:

• Review FIB-provided Monthly Statements of Account to ensure that transactions are recorded
  accurately and timely, and report discrepancies to FIB so correction processes may occur.

• Reconcile investment activity from the FMS application Governmentwide Account
  Statements to the FIB-provided Monthly Statements of Account to verify that investment
  activity is being properly reported by FIB on the Fund Agencies’ behalf.

Tests of Operating Effectiveness and Results of Testing

1. For a selection of Monthly Statements of Accounts, inspected the Monthly Statements of
   Account on FedInvest and determined that they were posted by the first working day after the
   end of the month.

2. For a selection of transactions, inspected the respective Monthly Statements of Account and
   determined that the transactions were accurately reflected in the Monthly Statements of
   Account.

3. Observed the FIB accountant generate a Monthly Statement of Account and publish it in
   FedInvest using version control software. For a selection of posted Monthly Statements of
   Account, attempted to modify the published Monthly Statement of Account and determined
   that the modification of the statement was prevented.

4. Observed the FIB accountant process the daily IPAC file and determined that the file
   contained the Fund Agency's Treasury Account Symbol and the Business Event Type Code.

5. For a selection of business days, inspected documentation of the daily procedures performed
   by the FIB accountants regarding the daily IPAC file submission and determined that the
   accountants followed the established policies and procedures, as evidenced by the FIB
   accountant’s sign off on the daily procedures checklist.

6. For a selection of monthly partial SF 224 submissions, inspected the partial SF 224
   submissions and determined that the investment activity was reviewed by a FIB accountant
   other than the preparer.

No exceptions noted.

IV. OTHER INFORMATION PROVIDED BY THE BUREAU OF THE PUBLIC DEBT

CONTINGENCY PLANNING

System Back Up

The InvestOne accounting system has a contingency plan managed by the Division of Systems
and Program Support (DSPS). There is a formal Division of Federal Investments (DFI)
Continuity of Operations Plan (COOP), which is part of a larger COOP for the Office of Public
Debt Accounting (OPDA) and the Bureau of the Public Debt (BPD). The Federal Investments
Branch (FIB) performs tests on all essential daily InvestOne functions. [13]

The Office of Information Technology (OIT) performs backups of the InvestOne accounting
system on a regular schedule. OIT retains the backup tapes according to a pre-set schedule [14] at
an offsite facility. OIT stores one copy in the production tape library, and the other copy is
shipped to an offsite facility. Long-term storage of tapes is provided through a contract with an
offsite storage facility. If a backup tape needs to be restored, the request will be made from the
DSPS.
OIT will then load the backup tape.

Continuity of Operations

A fire alarm and sprinkler system that is managed, maintained, and tested by the building
management protects the data center [15]. Sprinkler heads are located in the ceiling of each room of
the buildings. This is a wet pipe (always charged with water) system with individual heads that
discharge water. [16]

The DFI Business Continuity Plan calls for resumption of operations and critical applications of
essential functions within a pre-set time frame [17]. The InvestOne accounting system has been
classified as a critical application.

As part of the DFI COOP Plan, should the facility supporting InvestOne and FedInvest become
unavailable, designated FIB personnel will relocate [18] to reestablish their daily operations. When
applicable, BPD will revert to manual procedures until the mainframe and InvestOne accounting
system are fully recovered.

[13] FIB performs (b) (2) tests on all (b) (2) InvestOne functions at OPDA’s contingency site with
the support of (b) (2) FIB employees. The focus of these tests is to provide assurances that
connectivity can be made and these functions will continue with minimum interruption during any
emergency that may occur with or without warning.

[14] OIT uses (b) (2) to perform (b) (2) backups of the system (b) (2). (b) (2) retains the first
backup (b) (2). OIT

[15] Alarms are active 24 hours a day, 7 days a week, and are tied in to the local fire department
(b) (2) for spontaneous notification.

[16] In the event the (b) (2) building, where the InvestOne accounting system is run, becomes
inoperable, mainframe operations would be relocated to the BPD contingency facility in accordance
with the OIT data center recovery plan. This facility employs a (b) (2) strategy for recovery of
mainframe operations. OIT has contracted (b) (2) to provide mainframe equipment for this site.

[17] (b) (2) time frame.

[18] To the (b) (2) facility.

V. INDEPENDENT AUDITORS’ REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors’ Report

Inspector General, U.S. Department of the Treasury
Commissioner, Bureau of the Public Debt and the
Assistant Commissioner, Office of Public Debt Accounting

We have examined the accompanying description of the general computer and
investment/redemption processing controls related to the Federal Investments Branch (FIB) of the
Bureau of the Public Debt (BPD) as of July 31, 2009, and have issued our report thereon dated
September 18, 2009.
Our examination was performed in accordance with standards established
by the American Institute of Certified Public Accountants, and applicable Government Auditing
Standards, issued by the Comptroller General of the United States.

Our examination included procedures to obtain reasonable assurance about whether (1) the
accompanying description presents fairly, in all material respects, the aspects of BPD’s controls
that may be relevant to a Fund Agency’s internal control as it relates to an audit of financial
statements; (2) the controls included in the description were suitably designed to achieve the
control objectives specified in the description, if those controls were complied with satisfactorily,
and Fund Agencies and sub-service organizations applied the controls contemplated in the design
of BPD’s controls; and (3) such controls had been placed in operation as of July 31, 2009. The
control objectives were specified by the management of BPD. Our examination included those
procedures we considered necessary in the circumstances to obtain a reasonable basis for
rendering our opinion.

Compliance with laws and regulations applicable to FIB of BPD is the responsibility of BPD
management. As part of obtaining reasonable assurance about whether control structure policies
and procedures tested were operating with sufficient effectiveness to achieve the related control
objectives during the period from August 1, 2008 to July 31, 2009, we performed tests of BPD’s
compliance with certain provisions of applicable laws and regulations directly and materially
affecting the general computer and investment/redemption processing controls. We limited our
tests of compliance to these provisions and we did not test compliance with all applicable laws
and regulations. The objective of our examination was not, however, to provide an opinion on
overall compliance with such provisions.
Accordingly, we do not express such an opinion.

The results of our tests disclosed no instances of noncompliance that are required to be reported
herein under Government Auditing Standards.

This report is intended solely for the information and use of the management of BPD, its Fund
Agencies, the independent auditors of its Fund Agencies, the U.S. Department of the Treasury
Office of Inspector General, the Office of Management and Budget, the Government
Accountability Office, and the U.S. Congress, and is not intended to be, and should not be, used
by anyone other than these specified parties.

September 18, 2009

KPMG LLP, a U.S. limited liability partnership, is the U.S.
member firm of KPMG International, a Swiss cooperative.
'